Posted to dev@libcloud.apache.org by "Tomaz Muraus (JIRA)" <ji...@apache.org> on 2013/01/26 07:25:13 UTC

[dev] [jira] [Commented] (LIBCLOUD-283) Allow SSL_CERT_FILE env to point to location of CA certificates

    [ https://issues.apache.org/jira/browse/LIBCLOUD-283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13563383#comment-13563383 ] 

Tomaz Muraus commented on LIBCLOUD-283:
---------------------------------------

I'm always very careful when touching the code which could affect security, but after giving it more thought I think this change should be fine and it doesn't really change the attack vector.

One change I would make to your patch is to only use the file provided by this environment variable without falling back to other common paths if the provided one doesn't exist / is not available.

Without doing that, a typo or missing file could potentially cause a security issue because we would fall back to other common locations which could potentially result in a more permissive CA bundle.

In any case, I will still wait for feedback from more people before merging this patch.
                
> Allow SSL_CERT_FILE env to point to location of CA certificates
> ---------------------------------------------------------------
>
>                 Key: LIBCLOUD-283
>                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-283
>             Project: Libcloud
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Erinn Looney-Triggs
>            Priority: Minor
>              Labels: patch
>         Attachments: 0001-Allow-CA-location-to-be-overriden-with-SSL_CERT_FILE.patch
>
>
> One of the problems that Linux distributions have is a lack of a centralized certificate store for CAs. Couple this with different locations for different distros (as well as different formats, NSS etc.) and it can get to be a pain pretty easily. 
> Currently libcloud has a small set of hard coded locations that are searched for a CA bundle. This patch adds the ability to set the SSL_CERT_FILE environment variable to point to a given location and that file will be used as the CA store. This increases the flexibility in terms of platforms that can use libcloud. 
> openssl, as well as ruby use the same variable to locate their CA files (if needed). 
> Security has been raised as a potential issue here. I can't speak with a great deal of authority on this. It appears to me that an attacker with the level of access required to do this would be able to subvert any program in any other number of ways as well. As usual flexibility will need to be weighed against security.
> github pull request here: https://github.com/apache/libcloud/pull/90/files
> -Erinn

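The fail-closed lookup suggested in the comment above, sketched as an added example (not code from the attached patch or from libcloud). The names resolve_ca_bundle, CABundleError and DEFAULT_CA_PATHS, and the two default paths, are assumptions made for illustration.

```python
import os


class CABundleError(RuntimeError):
    """Raised when no usable CA bundle can be selected."""


# Hypothetical default search list; libcloud's real list is not shown in this thread.
DEFAULT_CA_PATHS = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)


def _usable(path):
    """True if path is an existing regular file the process can read."""
    return os.path.isfile(path) and os.access(path, os.R_OK)


def resolve_ca_bundle(environ=None, default_paths=DEFAULT_CA_PATHS):
    """Return the CA bundle path to hand to the TLS layer.

    If SSL_CERT_FILE is set it is authoritative: a typo, a missing file or an
    unreadable file raises instead of silently falling back to a common
    location that may hold a more permissive bundle. The default locations
    are searched only when the variable is not set at all.
    """
    environ = os.environ if environ is None else environ
    override = environ.get("SSL_CERT_FILE")

    if override is not None:
        if not override.strip():
            raise CABundleError("SSL_CERT_FILE is set but empty")
        if not _usable(override):
            raise CABundleError(
                "SSL_CERT_FILE=%r is not a readable file; "
                "refusing to fall back to default CA locations" % override
            )
        return override

    for path in default_paths:
        if _usable(path):
            return path
    raise CABundleError("no CA bundle found in the default locations")
```

Passing environ and default_paths explicitly keeps the function testable without touching the real process environment or system certificate paths.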